NIST Advances Cyber AI Profile Amid Rising AI-Driven Security Threats
The initiative follows a series of workshops, public comment periods, and six active projects at the National Cybersecurity Center of Excellence (NCCoE) that focus on AI and cybersecurity. In early June, the NCCoE announced it is developing a Community Profile based on the NIST Cybersecurity Framework (CSF) for the domain of “cybersecurity of AI and AI for cybersecurity.” The profile is intended to guide how existing standards can be applied to AI systems—including agentic AI—and to help organizations manage AI‑related cyber risks. It is part of a broader federal push to secure AI agents and integrate AI into cybersecurity operations.
The effort was highlighted in a Federal News Network article that noted the NCCoE’s six projects and the director’s statement that AI is becoming “foundational to cybersecurity.” The article also referenced recent demonstrations in which Anthropic’s Claude Mythos model identified hundreds of software vulnerabilities faster than human analysts. Anthropic’s findings prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a government‑wide directive prioritizing high‑risk software vulnerabilities.
A second NIST workshop on the Cyber AI Profile gathered participants from industry, academia, and government. According to the workshop blog post, attendees emphasized the need for a consistent AI taxonomy, guidance on testing and evaluation, and the inclusion of use cases such as operational technology (OT) security. They also called for a flexible, machine‑readable format that would allow smaller organizations to adopt the profile without excessive overhead.
The CSF itself has evolved since its 2014 release. Version 2.0, published in 2024, added a new Govern function and expanded the framework’s applicability to smaller entities. NIST’s current work on the Cyber AI Profile builds on that evolution, aiming to keep the framework relevant as AI capabilities accelerate and quantum computing introduces new attack vectors.
The five strategic pillars identified by Forbes columnist Chuck Brooks—Adaptive Risk Management, Resilience via Design, Trust‑Centered Governance, Crypto‑Agility and Quantum Readiness, and Human Capital and Collaboration—provide a high‑level roadmap for enterprises navigating the AI‑enabled threat landscape. Brooks’ article, published in the “acceleration era,” argues that organizations must integrate these pillars into their risk management programs to maintain resilience.
NIST’s public comment process for the Cyber AI Profile is open through the end of July. The agency has released draft guidance and a diagram outlining the development steps, including opportunities for stakeholder input. The draft also references the NCCoE’s ongoing projects, such as the AI Agent Identity and Authorization initiative, which seeks to apply identity standards to AI agents.
The current environment underscores the urgency of the profile. Anthropic’s Claude Mythos, for example, was shown to find 271 vulnerabilities in Mozilla Firefox during testing, and the company has restricted the model to vetted partners because of the potential for misuse. These incidents illustrate the dual nature of AI: it can accelerate vulnerability discovery while also posing new risks.
For state and local governments, participation in the Cyber AI Profile working groups and timely submission of comments are recommended. The profile will likely influence future regulatory requirements and best‑practice guidance, helping agencies align their AI deployments with national security objectives.
In summary, NIST’s Cyber AI Profile represents a coordinated effort to extend the CSF to the AI domain, incorporating lessons from recent AI‑driven vulnerability discovery, federal directives, and industry feedback. The profile is expected to be finalized in late 2026, with a public‑comment period and subsequent implementation guidance.